1/12/2021
10:00 AM
Mark Wojtasiak
Commentary

Over-Sharer or Troublemaker? How to Identify Insider-Risk Personas

It's past time to begin charting insider risk indicators that identify risky behavior and stop it in its tracks.



You've heard that Twitter was hacked. And the CIA. And that a malicious Desjardins employee caused the largest ever data breach in the Canadian financial services sector. And how about the automobile insurance company that inadvertently gave up the driver license information for 27 million policyholders in Texas?

The thing these high-profile breaches have in common is that they were all undertaken by insiders. Whether committed on purpose for financial gain or as a result of human error, insider risk dealt a blow to these powerful organizations' revenue and reputations.


Despite the growing risk, data security events caused by insiders are not being taken seriously. New research in the Code42 Data Exposure Report notes that more than half (54%) of IT security leaders spend less than 20% of their budget on insider risk, and 66% of IT security leaders say their budget for insider risk is insufficient. This is a major problem for organizations around the world as users, applications, and data continue to move outside the hardened data center and corporate perimeter as part of digital transformation policies. And, unfortunately, it's going to get worse before it gets better. In their most recent predictions, Forrester says that insider incidents will be the cause of 33% of data breaches in 2021, up from 25% in 2020.

Learn to Recognize the Personas that Pose the Greatest Insider Risk
Organizations need to lock down insider risk to data without inhibiting the user experience or creating roadblocks. This requires building a culture of trust where employees are given the benefit of the doubt and trusted to act professionally with the best interests of the organization in mind. Then, instead of monitoring every activity by every user, organizations should look at insider risk indicators (IRIs) to identify risky behavior and create actionable information to stop it in its tracks.

Here are three personas that you need to watch out for when determining insider risk across your organization:

The Over-Sharer
We all have some of these in our lives — the people from the office who are always quick to email a document to a wide distribution. Or they upload a file to a cloud service, or post sensitive information in an unauthorized application. They think they're helping by giving people quick access to valuable information, and they aren't afraid to cut corners to get the job done. Behind the scenes, you just know they are saving files to their personal devices and cloud accounts with little consideration for privacy and security protocols. These people are not malicious, just victims of poor judgment or human error. But their actions result in the same vulnerabilities from malicious actors that keep security professionals up at night.

The Guy with One Foot Out the Door
Their exact motivations could vary, but make no mistake: people who have made the decision to leave the company and take critical information with them are only looking out for themselves. This could be projects they've worked on that they'd like to save in their portfolio. A database of customers they could win over to a competitor. Or just a report with a great format that they'd like to duplicate in their new job. Regardless, the information they take with them can negatively impact your organization's ability to do business, compete fairly against competitors, and protect customer privacy. When you read about court cases involving IP theft, you can often link them to the guy with one foot out the door.

The Troublemaker
While rare, this is among the most disruptive in the bunch. There are a few varieties of troublemakers, including a mole or insider for hire. Troublemakers are likely out to make a buck by selling corporate information. They may be engaging in some corporate espionage. Maybe they have political motivations to be disruptive or engage in sabotage. We most often see this kind of troublemaker in sectors with lucrative R&D programs – think tech, telecom, biotech or big pharma. The US government's case against Huawei is a prime example from the telecom space.

Infrequently, tech-savvy individuals, who often don't intend to do harm, want to find out how things work and may conduct their own unsponsored "security testing." Whether out of curiosity, boredom, or arrogance, they take it upon themselves to see if security controls actually work, which is likely at odds with acceptable use policies, can erroneously be seen as an attempt to test monitoring capabilities for a later exfiltration, and is a distraction for security teams. While we don’t want to dampen a curious spirit, this may not be the best outlet for their tinkering because the end result creates insider risk nonetheless.
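As an added illustration, not Code42's code or the article's own, here is a small Python triage routine that counts insider risk indicators like the ones described above over a constructed audit trail and maps them to the Over-Sharer and one-foot-out-the-door personas; the Troublemaker is left out because the text describes motive rather than a log-observable behavior. The event fields, the `sensitive` tag (assumed to come from a data classification or DLP system) and the wide-distribution threshold are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    user: str
    kind: str                 # "email", "cloud_upload", "removable_media", "resignation"
    sensitive: bool = False   # assumed to be set by a classification/DLP tag
    recipients: int = 0       # email only

WIDE_DISTRIBUTION = 20        # assumed threshold for a "wide distribution" email

# Constructed sample audit trail, oldest event first (not real data).
SAMPLE_EVENTS = [
    Event("alice", "email", sensitive=True, recipients=45),
    Event("alice", "cloud_upload", sensitive=True),
    Event("bob", "resignation"),
    Event("bob", "removable_media", sensitive=True),
    Event("bob", "cloud_upload", sensitive=True),
    Event("carol", "email", sensitive=False, recipients=3),
]


def score_user(events):
    """Count insider risk indicators (IRIs) for one user's events, in time order."""
    iri = {"wide_sensitive_email": 0, "sensitive_to_uncontrolled": 0, "moves_after_resignation": 0}
    resigned = False
    for e in events:
        if e.kind == "resignation":
            resigned = True               # departure notice: later moves weigh more
        elif e.kind == "email" and e.sensitive and e.recipients >= WIDE_DISTRIBUTION:
            iri["wide_sensitive_email"] += 1
        elif e.kind in ("cloud_upload", "removable_media") and e.sensitive:
            iri["sensitive_to_uncontrolled"] += 1   # data left a sanctioned channel
            if resigned:
                iri["moves_after_resignation"] += 1
    return iri


def classify(iri):
    # Departing staff moving data take precedence over plain over-sharing.
    if iri["moves_after_resignation"] >= 1:
        return "one-foot-out-the-door"
    if iri["wide_sensitive_email"] + iri["sensitive_to_uncontrolled"] >= 2:
        return "over-sharer"
    return "no persona"


def triage(events=SAMPLE_EVENTS):
    # Group events by user and return {user: persona} for analyst follow-up.
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    return {user: classify(score_user(evs)) for user, evs in by_user.items()}
```

Note that the score keys per-user history rather than every single action, which is the point the article makes about IRIs versus blanket monitoring.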

You Don't Have to Compromise
Insider risk management doesn't have to come at the expense of productivity, innovation or collaboration. Identifying abnormal behavior and top IRIs is key to protecting the organization from both malicious and unintentional harm without disrupting operations. From the Over-Sharer to the Troublemaker, it's important that you know the personas that are putting your data and your organization at risk.

Mark Wojtasiak is co-author of the book Inside Jobs: Why Insider Risk is the Biggest Cyber Threat You Can't Ignore, vice president of portfolio marketing for Code42, and frequent cybersecurity blog contributor. In his role at Code42, he leads the market research, competitive ...